Bugtraq mailing list archives
Re: httpd symlinks
From: jlewis () inorganic5 chem ufl edu (Jon Lewis)
Date: Tue, 5 Sep 1995 00:34:43 -0400
On Mon, 4 Sep 1995, Daniel S. Riley wrote:
Try adding this to "access.conf" on apache 0.8.11 or ncsa 1.4 (not sure about how CERN handles this). "SymLinksIfOwnerMatch" is only vaguely documented.SymLinksIfOwnerMatch, at least in NCSA httpd 1.4 through 1.5b3, is also broken. Here's the bug report I submitted to the ncsa-httpd team:
I was just fooling around and was shocked to find that SymLinksIfOwnerMatch is totally broken in the version of Apache I've been using. I created a symlink from a public_html dir to / and was able to see /. I downloaded/compiled the latest apache and did some testing of SymLinksIfOwnerMatch with various versions of httpd I had handy and found the following: NCSA 1.3 works, even on double symlinks Apache 0.6.2 works on symlinks, broken for double symlinks Apache 0.8.8 broken for symlinks and double symlinks Apache 0.8.11 works, even on double symlinks By "works", I mean it gave a Forbidden message when the symlink was tried...by "broken", I mean symlinks were followed when they should not have been. ------------------------------------------------------------------ Jon Lewis | Mime attachments are OK jlewis () inorganic5 chem ufl edu | But please ask before sending http://inorganic5.chem.ufl.edu | unsolicited huge files. | _____Finger jlewis () inorganic5 chem ufl edu for PGP public key_____
Current thread:
- Re: httpd symlinks Daniel S. Riley (Sep 04)
- Re: httpd symlinks Jon Lewis (Sep 04)
- <Possible follow-ups>
- Re: httpd symlinks Panzer Boy (Sep 07)